General - PowerPoint PPT Presentation

Slides: 15
Provided by: fengmi5

Transcript and Presenter's Notes

Title: General


1
Authentication
CS 6262 Fall 02
2
Password
  • Proof by knowledge, sharing
  • Password guessing
  • On-line: limit tries, alarm
  • Off-line: dictionary attack
  • Storing passwords
  • Per-node: /etc/passwd
  • Server: authentication storage server, retrieved
    by node (yp/NIS)
  • Facilitator: server says yes/no

3
Address-based
  • .rhosts
  • node, user name
  • /etc/hosts.equiv
  • trusted hosts
  • Threats
  • break in one, break in all
  • often A trusts B, then B trusts A
  • address spoofing

4
Humans and Computers
  • Humans
  • Short, memorable key (8 characters, 48 bits),
    directly or as key for longer key
  • Computers
  • (Long) high-quality secret
  • Hidden key (encrypted by password), directly
    (e.g., hash of the password)

5
Eavesdropping and Server Database Reading
  • Public key
  • Need to protect private key
  • Use good password
  • Eavesdropping
  • Use random challenge with signing/encryption
    using secret
  • Server database reading
  • Lamport hash
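
The Lamport hash named on this slide, sketched as an added example (not part of the original slides): the server stores only n and hash^n(password), so neither a replayed response nor a stolen database entry authenticates. SHA-256, the class and function names, and the sample password are assumptions; the salt used in fuller descriptions of the scheme is omitted.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # One-way function; SHA-256 is an assumption, the slide names no hash.
    return hashlib.sha256(data).digest()

def hash_n(secret: bytes, n: int) -> bytes:
    """Apply h to secret n times (n = 0 returns the secret itself)."""
    out = secret
    for _ in range(n):
        out = h(out)
    return out

class LamportServer:
    """Keeps (n, hash^n(password)) per user, never the password."""
    def __init__(self):
        self.db = {}

    def enroll(self, user: str, password: bytes, n: int) -> None:
        self.db[user] = (n, hash_n(password, n))

    def challenge(self, user: str) -> int:
        # The server tells the client the current counter n.
        return self.db[user][0]

    def verify(self, user: str, response: bytes) -> bool:
        n, stored = self.db[user]
        if n <= 1:
            return False  # chain exhausted: the user must enroll again
        if not hmac.compare_digest(h(response), stored):
            return False
        # Accept, then move one step down the chain so the value is single-use.
        self.db[user] = (n - 1, response)
        return True

def client_response(password: bytes, n: int) -> bytes:
    # The client answers challenge n with hash^(n-1)(password).
    return hash_n(password, n - 1)

def demo():
    pw = b"constructed-sample-password"  # constructed sample value
    server = LamportServer()
    server.enroll("alice", pw, 5)
    resp = client_response(pw, server.challenge("alice"))
    first = server.verify("alice", resp)   # legitimate login
    # An eavesdropper replaying resp, or a database reader submitting the
    # stored entry (now equal to resp), fails: h(resp) != stored value.
    replay = server.verify("alice", resp)
    return first, replay

if __name__ == "__main__":
    print(demo())
```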

6
Trusted Intermediaries
  • Can't do pair-wise authentication with secret
    key: key explosion
  • Key distribution center (KDC)
  • Single point of failure, performance bottleneck
  • Certification authorities (CAs)
  • Can be off-line
  • Single point of failure
  • Need to manage revocation list (CRL)

7
Authentication of People
  • What you know (passwords)
  • What you have (keys)
  • What you are (biometric devices)
  • Where you are (physical)

8
Trojan Horses
  • A faked login prompt to capture passwords
  • Countermeasures
  • Make it hard to have the appearance of login
    prompt
  • Use interrupts
  • Prevent login by user programs

9
Authentication Tokens
  • What you have
  • Smart cards
  • Challenge/response
  • Cryptographic calculator
  • Interaction through a user (typing ...)

10
Biometrics
  • Accuracy
  • False acceptance rate.
  • False rejection rate.
  • Can adversary select imposters?
  • Identical twins, family members, etc.
  • Retinal scanner, fingerprint reader, handprint
    reader, voiceprint, keystroke timing, signature.

11
Fingerprints
  • Vulnerability
  • Dummy fingers and dead fingers
  • Suitability and stability
  • Not for people with high probability of damaged
    fingerprints
  • Not for kids growing up

12
Voice Recognition
  • Single phrase
  • Can use tape recorder to fake
  • Stability
  • Background noise
  • Colds
  • Use with public phones

13
Keystroke Timing
  • Each person has a distinct typing timing/style
  • Hand/finger movements
  • Suitability
  • Best done for local authentication
  • Avoid network traffic delay

14
Signatures
  • Machines can't match human experts in recognizing
    shapes of signatures
  • Add information of timing (dynamics) of movements
  • Signing on an electronic tablet